Line-Point Zero Knowledge and Its Applications - Schloss Dagstuhl
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Line-Point Zero Knowledge and Its Applications
Samuel Dittmer #
Stealth Software Technologies Inc., Los Angeles, CA, USA
Yuval Ishai #
Department of Computer Science, Technion, Haifa, Israel
Rafail Ostrovsky #
Department of Computer Science and Mathematics, University of California, Los Angeles, CA, USA
Abstract
We introduce and study a simple kind of proof system called line-point zero knowledge (LPZK). In
an LPZK proof, the prover encodes the witness as an affine line v(t) := at + b in a vector space
Fn , and the verifier queries the line at a single random point t = α. LPZK is motivated by recent
practical protocols for vector oblivious linear evaluation (VOLE), which can be used to compile
LPZK proof systems into lightweight designated-verifier NIZK protocols.
We construct LPZK systems for proving satisfiability of arithmetic circuits with attractive
efficiency features. These give rise to designated-verifier NIZK protocols that require only 2-5 times
the computation of evaluating the circuit in the clear (following an input-independent preprocessing
phase), and where the prover communicates roughly 2 field elements per multiplication gate, or
roughly 1 element in the random oracle model with a modestly higher computation cost. On the
theoretical side, our LPZK systems give rise to the first linear interactive proofs (Bitansky et al.,
TCC 2013) that are zero knowledge against a malicious verifier.
We then apply LPZK towards simplifying and improving recent constructions of reusable non-
interactive secure computation (NISC) from VOLE (Chase et al., Crypto 2019). As an application,
we give concretely efficient and reusable NISC protocols over VOLE for bounded inner product, where
the sender’s input vector should have a bounded L2 -norm.
2012 ACM Subject Classification Security and privacy → Information-theoretic techniques
Keywords and phrases Zero-knowledge proofs, NIZK, correlated randomness, vector oblivious linear
evaluation, non-interactive secure computation
Digital Object Identifier 10.4230/LIPIcs.ITC.2021.5
Related Version Full Version: https://eprint.iacr.org/2020/1446 [23]
Funding Supported by DARPA Contract No. HR001120C0087. Y. Ishai supported in part by ERC
Project NTSC (742754), NSF-BSF grant 2015782, BSF grant 2018393, and ISF grant 2774/20. Any
opinions, findings and conclusions or recommendations expressed in this material are those of the
author(s) and do not necessarily reflect the views of DARPA. Distribution Statement “A” (Approved
for Public Release, Distribution Unlimited).
1 Introduction
Zero-knowledge proofs, introduced by Goldwasser, Micali, and Rackoff [29] in the 1980s,
are commonly viewed as a gem of theoretical computer science. For many years, they were
indeed confined to the theory domain. However, in the past few years we have seen explosive
growth in research on concretely efficient zero-knowledge proof systems. This research is
motivated by a variety of real-world applications. See [49] for relevant pointers.
Designated-verifier NIZK
There are many different kinds of zero-knowledge proof systems. Here we mainly consider
the setting of designated-verifier, non-interactive zero knowledge (dv-NIZK), where the proof
consists of a single message from the prover to the verifier, but verification requires a secret
© Samuel Dittmer, Yuval Ishai, and Rafail Ostrovsky;
licensed under Creative Commons License CC-BY 4.0
2nd Conference on Information-Theoretic Cryptography (ITC 2021).
Editor: Stefano Tessaro; Article No. 5; pp. 5:1–5:24
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany5:2 Line-Point Zero Knowledge and Its Applications
verification key that is known only to the verifier and is determined during a (reusable)
setup phase. Moreover, we consider by default computationally sound proofs, also known as
arguments. Designated-verifier NIZK has a rich history starting from [39]; see [43, 40, 19]
and references therein for recent works in the area. We will typically consider a more
restrictive setting, sometimes referred to as preprocessing NIZK, where also the prover needs
to hold secret information. In this variant of dv-NIZK the prover and the verifier engage
in a (typically inexpensive and reusable) interaction during an offline preprocessing phase,
before the inputs are known. In the end of the interaction the prover and the verifier obtain
correlated secret randomness that is consumed by an online protocol in which the prover can
prove multiple statements to the verifier. While this preprocessing model will be our default
model for NIZK, our results are relevant to both kinds of dv-NIZK.
Efficiency of proof systems
We are primarily motivated by the goal of improving the efficiency of zero-knowledge proofs.
There are several metrics for measuring efficiency of proof systems. Much of the research in
this area focuses on improving succinctness, which refers both to the proof length and to the
verifier’s running time. This is highly relevant to the case of publicly verifiable proofs that
are generated once and verified many times. However, in the case of a proof that is verified
once by a designated verifier, other complexity metrics, such as prover’s running time and
space, can become the main performance bottlenecks. Indeed, state-of-the-art succinct proof
systems, such as zk-SNARKs based on pairings [30] or IOPs [7], typically incur high concrete
prover computation costs when scaled to large verification tasks. Moreover, they require a big
amount of space, and are not compatible with a “streaming” mode of operation in which the
proof is generated on the fly together with the computation being verified. On the other hand,
non-succinct or semi-succinct proof systems based on the “MPC-in-the-head” [35, 27, 18, 37],
garbled circuits [24, 31], or interactive proofs [28, 46, 48], scale better to big verification
tasks.
Minimizing prover complexity
Our goal is to push the advantages of non-succinct zero-knowledge proof systems to their
limits, focusing mainly on optimizing the prover’s computation. This can be motivated by
settings in which the prover and the verifier are connected via a fast local network. An
extreme case is that of physically connected devices, for which the distinction between
computation and communication is blurred. Alternatively, one can think of scenarios in
which the proofs can be generated and stored offline on the prover side and only verified at
a later point, or possibly not at all. Another motivating scenario is one where the statement
is short and simple, but is kept secret from the verifier. In this setting, which comes up in
applications such as “commit-and-prove” and NISC on small inputs (which will be discussed
later), the concrete overhead of “asymptotically succinct” systems is too high. Finally, if
the witness is secret-shared between multiple provers and the proof needs to be generated
in a distributed way, the prover’s computation is likely to become a bottleneck. All of
the above reasons motivate a systematic study of minimizing the prover’s complexity in
zero-knowledge proofs.
Achieving constant computational overhead
We consider the goal of zero-knowledge proofs with constant computational overhead, namely
where the total computational cost (and in particular the prover’s computation) is only
a constant times bigger than the cost of performing the verification in the clear. In theS. Dittmer, Y. Ishai, and R. Ostrovsky 5:3
case of proving the satisfiability of a Boolean circuit, this question is still open, and the
best computational overhead is polylogarithmic in a statistical security parameter [20].
However, when considering arithmetic circuits over a big finite field F and settling for
O(1/|F|) soundness error, this goal becomes much easier. The first such proof system was
given by Bootle et al. [11], who also achieved “semi-succinctness.” However, the underlying
multiplicative constants are very big, and this system is not considered practical. A more
practical approach uses variants of the GKR interactive proofs protocol [46, 48, 47]. Here
the concrete computational overhead is smaller, but still quite big: roughly 20x overhead in
the best-case scenario of “layered” arithmetic circuits. On top of that, this overhead is only
relevant when the verification circuit is much bigger than the witness size. In some of the
applications we consider (such as the NISC application discussed below), this will not be
the case.
A third approach, which is most relevant to our work, relies on oblivious linear evaluation
(OLE) [42, 36] and its vector variant (VOLE) [2]. An OLE is an arithmetic variant of
oblivious transfer, allowing the receiver, on input α, to learn a linear combination aα + b
of two ring elements held by the sender. VOLE is a natural vector analogue of OLE: the
receiver learns aα + b for a pair of vectors a, b held by the sender. The idea of using random
precomputed instances of OLE and VOLE towards zero-knowledge proofs with constant
computational overhead was suggested in [12, 19]. This is motivated by recent techniques for
securely realizing pseudorandom instances of (V)OLE with sublinear communication and
good concrete overall cost [12, 13, 44, 16, 15]. However, these protocols for zero knowledge
from (V)OLE still suffered from a high concrete overhead. For instance, the protocol from [19]
requires 44 instances of OLE for each multiplication gate. Recent and concurrent works by
Weng et al. [45] and Baum et al. [6] improved this state of affairs. We discuss these works
and compare them to our own in the full version of this paper [23].
1.1 Our contribution
Motivated by the goal of minimizing prover complexity in zero-knowledge proofs, we introduce
and study a simple kind of proof systems called line-point zero knowledge. We then apply
this proof system towards obtaining simple, concretely efficient, and reusable protocols for
non-interactive secure computation. We elaborate on these results below. We defer many
proofs to the full version of our paper [23].
Line-point zero knowledge
A recent work of Boyle et al. [12], with improvements in [13, 44], has shown how to securely
generate a long, pseudorandom instance of a vector oblivious linear evaluation (VOLE)
correlation with low communication complexity (sublinear in the vector length) and good
concrete efficiency. Here we show how to use this for implementing simple and efficient
dv-NIZK protocols for circuit satisfiability, improving over similar protocols from [12, 19]. In
particular, previous protocols involve multiple VOLE instances and have a large (constant)
overhead in communication and computation compared to the circuit size.
The goal of reducing NIZK to a single instance of VOLE motivates the key new tool
we introduce: a simple kind of information-theoretic proof system that we call line point
zero knowledge (LPZK). In an LPZK proof, the prover P generates from the witness w (a
satisfying assignment) an affine line v(t) := at + b in an n-dimensional vector space Fn . The
verifier queries a single point v(α) = aα + b on this line, and determines whether to accept
or reject. We call this proof system LPZK over F of length (or dimension) n. We define the
LPZK model formally along with more refined cost metrics in Section 2.1.
ITC 20215:4 Line-Point Zero Knowledge and Its Applications
Information-theoretic LPZK construction
We start by showing the existence of an LPZK for arithmetic circuit satisfiability (an NP-
complete problem), where the dimension n and computational costs scale linearly with the
circuit size.
▶ Theorem 1 (LPZK for arithmetic circuit satisfiability). For any NP-relation R(x, y) and
finite field F, there exists an LPZK system for R over F with soundness error O(1/|F|).
Concretely, in the case of proving the satisfiability of an arithmetic circuit C over F, we have
an LPZK over F with dimension n = O(|C|), soundness error ε = O(1/|F|), and where the
prover and verifier can be implemented by arithmetic circuits of size O(|C|).
As an information-theoretic proof system, LPZK can be viewed as a simple instance of a
(1-round) zero-knowledge linear interactive proof (LIP) [9], in which the verifier sends a single
field element to the prover. Theorem 1 implies the first such system that is zero knowledge
even against a malicious verifier.
From LPZK to NIZK over random VOLE
It is easy to convert an LPZK into an NIZK protocol in the rVOLE-hybrid model, namely
with a trusted setup in which the prover P receives a random pair of vectors a′ , b′ ∈ Fn ,
while the verifier V receives a random field element α ∈ F and the vector a′ α + b′ . This
uses a standard reduction from VOLE to rVOLE; see Section 2.2 for details. We refer to the
length of the vectors a′ , b′ as the rVOLE length.
The rVOLE setup, whose efficient implementation will be discussed later, allows the
prover to compress the LPZK proof by eliminating entries that can be picked at random
independently of the input. Using this and other optimizations, we obtain an information-
theoretic NIZK protocol in the rVOLE-hybrid model with the following concrete efficiency
features.
▶ Theorem 2 (NIZK over a single random VOLE). Fix an integer t ≥ 1. There exists an
(unconditional, perfect zero-knowledge) NIZK protocol in the rVOLE-hybrid model that proves
the satisfiability of an arithmetic circuit C over a field F, where C has k inputs, k ′ outputs
and m multiplication gates, with the following security and efficiency features:
Soundness error ε = 2t/|F|;
Communication k + k ′ + (2 + 1t )m field elements from P to V ;
rVOLE length n = k + 2m field elements;
Computation Assuming the cost of field additions is negligible compared to multiplica-
tions, the computation of the prover is less than 4 times the cost of evaluation in the clear,
and the computation of the verifier is less than 5 times the cost of evaluation in the clear.
VOLE instantiations
The random VOLE required by Theorem 2 can be instantiated in a variety of ways. For
instance, one could use a 2-message protocol in the CRS model based on Paillier’s encryption
scheme, which yields statistical dv-NIZK arguments for NP from the DCRA assumption [19].
Other efficient VOLE implementations under different assumptions appear in [2, 22, 5]. In
terms of asymptotic efficiency, random VOLE can be implemented with constant multiplicative
computational overhead under plausible variants of the learning parity with noise (LPN)
assumption over big fields [2, 12]. From a concrete efficiency viewpoint, the most appealing
current VOLE implementations rely on pseudorandom correlation generators (PCGs) [12,S. Dittmer, Y. Ishai, and R. Ostrovsky 5:5
13, 44]. A PCG for VOLE enables a “silent” generation of a long random VOLE correlation
by locally expanding a pair of short, correlated seeds. This local expansion can be done in
near-linear or even linear time, and may be carried out in an offline phase before the statement
is known. The secure generation of the correlated seeds can also be done by a concretely
efficient, low-communication protocol. Optimized pseudorandom function analogs of PCG
that enable random access to the outputs of a virtually unbounded VOLE correlation were
recently considered in [15]. The above approaches generally lead to a preprocessing NIZK,
where both the verifier and the prover are fixed in advance. However, using 2-round protocols
for VOLE with security against malicious receivers [19, 13], LPZK can be compiled into
dv-NIZK protocols in which the same (short) verifier message can be used by different provers.
1.2 Improving proof size in the random oracle model
Inspired by the concurrent1 work of Weng et al. [45], we can improve the communication
cost of our proofs in the random oracle model by a factor of 2 (asymptotically) at the cost of
a modest increase of prover and verifier computation, in the form of calls to a cryptographic
hash function. Note that other attractive features of LPZK such as space- and streaming-
friendliness are maintained. See [23] for a detailed comparison between the results of [45]
and our work.
▶ Theorem 3 (NIZK over random VOLE in the ROM). Fix an integer r ≥ 1. There exists an
(unconditional) NIZK protocol in the RO-rVOLE-hybrid model that proves the satisfiability
of an arithmetic circuit C over a field F, where C has k inputs and m multiplication gates
and ℓ is the number of oracle calls a malicious prover P ∗ makes, with the following features:
Soundness error ε = |F| 2
+ |F|ℓ r ;
′
Communication k + k + m + 2r field elements from P to V ;
rVOLE length n = k + m + r field elements;
Computation Computation of O(r|C|) field operations and 1 cryptographic hash call
(from Fm to Fmr ) for both the prover and the verifier.
1.3 Reusable NISC from LPZK via certified VOLE
A non-interactive secure computation (NISC) protocol [34] is a two-party protocol that
securely computes a function f (x, y) using two messages: a message by a receiver, encrypting
its input x, followed by a message by a sender, that depends on its input y. The output f (x, y)
is only revealed to the receiver. A major challenge is making such protocols secure even
when either party can be malicious. Another challenge is to make such protocols reusable,
in the sense that the same encrypted input x can be used to perform computations with
many sender inputs yi without violating security. This should hold even when a malicious
sender can learn partial information about the honest receiver’s output, such as whether
the receiver “aborts” after detecting an inconsistent sender behavior. Existing NISC (or
even NIZK) protocols based on parallel calls to oblivious transfer (OT) and symmetric
cryptography [39, 34, 1, 41] are not fully reusable, and this is in some sense inherent [19].
Chase et al. [19] recently showed how to realize reusable NISC by using parallel instances
of VOLE instead of OT. This can be seen as a natural extension of the LPZK model, where
the receiver randomly encodes its NISC input x into multiple points αi and the sender
1
Most of the present work was done concurrently and independently of [45]. We explicitly point out the
improvements that are based on ideas from [45].
ITC 20215:6 Line-Point Zero Knowledge and Its Applications
randomly encodes is input y into corresponding lines vi (t). Here reusability refers to fixing
the VOLE inputs (points) αi generated by an honest receiver on input x and reusing them
in multiple interactions with a malicious sender.
On top of the reusability feature, another advantage of the VOLE-based protocol, which
is inherited from earlier protocols with security against semi-honest senders [32, 3], is that it
“natively” supports simple arithmetic computations over the VOLE field. This is contrasted
with NISC protocols over OT [34, 1, 41], which apply to Boolean circuits and are expensive
to adapt to arithmetic computations.
We provide an alternative construction of reusable NISC over VOLE that uses LPZK to
protect against malicious senders. Our approach significantly simplifies the protocol from
[19] and results in much better concrete constants.
NISC for bounded inner product
To illustrate the concrete efficiency potential of our NISC technique, we optimize it for a
simple application scenario. Consider an “inner product” functionality that measures the level
of similarity (or correlation) between receiver feature vector x and a sender feature vector y,
where the same x can be reused with multiple sender inputs yi . Here we view both x and y
as integer vectors that are embedded in a sufficiently large finite field. An obvious problem
is that the ideal functionality allows a malicious sender to scale its real input by an arbitrary
multiplicative factor, thereby increasing the perceived similarity. To prevent this attack, we
modify the functionality to bound the L2 norm of the sender’s input. In this way, the sender’s
strategy is effectively restricted to choosing the direction of a unit vector, where the bound
on the norm determines the level of precision. For this bounded inner product functionality,
we obtain a concretely efficient protocol that offers reusable malicious security. Even when
considering malicious security alone, without reusability, previous techniques for NISC are
much less efficient for such simple arithmetic functionalities. To give just one data point,
for vectors of length 1000 over F, with |F| ≈ 264 and sender L2 norm bounded by 1024, our
protocol requires 1002 instances of VOLE with a total of 21,023 entries and communication
of 36,047 field elements (roughly 282 kB) after the offline generation of VOLE instances.
Given recent methods for “silent” generation of multiple VOLE instances [13, 44, 16, 15],
the amortized cost of setting up the required VOLE instances is small.
1.4 Overview of techniques
From LPZK to NIZK via random VOLE. An LPZK proof system can be directly realized by
a single instance of VOLE, where the prover’s line v(t) := at + b ∈ Fn determines the VOLE
sender’s input (a, b) and the verifier’s point α is used as the VOLE receiver’s input. A further
observation is that this single VOLE instance can be easily reduced to a random VOLE
functionality that assigns to the prover a uniformly random pair of vectors (a′ , b′ ) each in Fn
and to the verifier a uniformly random value α ∈ F and v′ = a′ α + b′ . Indeed, the prover
can send (a − a′ ) and (b − b′ ) to the verifier, who computes v(α) = v′ + (a − a′ )α + (b − b′ ).
This requires communication of 2n field elements on top of the pre-processing step required
to set up the random VOLE instance. Combined with efficient protocols for generating long
instances of random VOLE, this gives rise to dv-NIZK protocol in which the offline phase
consists of secure generation of random VOLE and the online phase uses the random VOLE
as a “one-time pad” for realizing LPZK.S. Dittmer, Y. Ishai, and R. Ostrovsky 5:7
Constructing information-theoretic LPZK proofs
Our information-theoretic LPZK construction follows the general template of similar kinds of
proof systems: the verification circuit is evaluated in two different ways that depend on secret
randomness picked by the verifier, and the verifier accepts if the two evaluations are consistent.
Zero knowledge is obtained by masking the values revealed to the verifier using randomness
picked by the prover. This high level approach was used in previous information-theoretic
zero-knowledge proof systems (such as succinct zero-knowledge linear PCPs [4, 33, 26, 9]),
actively secure computation protocols (such as the SPDZ line of protocols [8, 21]), and
circuits resilient to additive attacks [25]. Our LPZK systems most closely resemble the
“homomorphic MAC” approach used for actively secure computation in the preprocessing
model [8, 21], but differ in the low-level details.
More concretely, we construct LPZK for proving the satisfiability of an arithmetic
circuit C by encoding intermediate wire values in the vector a and masking these values with
randomness in b. This is an information-theoretic encryption: If the verifier holds v1 (α) :=
a1 α + b1 and α, where a1 is sampled from some distribution and b1 is chosen uniformly at
random from F, the distribution of v1 (α) holds no information about a1 .
We can “add” two encrypted wires v1 (t) = a1 t + b1 and v2 (t) = a2 t + b2 non-interactively
for free; the prover adds to obtain (a1 + a2 )t + (b1 + b2 ), and the verifier adds v1 (α) + v2 (α) =
(a1 + a2 )α + (b1 + b2 ).
To multiply v1 and v2 , the prover seeks to construct the encrypted wire a1 a2 t + b, for
some value b. When the prover multiplies v1 (t) · v2 (t) they obtain a quadratic in t. By
adding and subtracting a masking term b3 t, they can write v1 (t)v2 (t) = tv3 (t) + v4 (t),
with v3 (t) = a1 a2 t + (b1 a2 + b2 a1 − b3 ) and v4 (t) = b3 t + b1 b2 , so that v3 (t) is the desired
encryption of a1 a2 and satisfies v3 (t) = (v1 (t)v2 (t) − v4 (t))/t. The verifier learns vi (α),
for 1 ≤ i ≤ 4 from the LPZK, and accepts if
v1 (α)v2 (α) − v4 (α)
v3 (α) = ,
α
and rejects otherwise. Finally, to open the value of an encrypted wire v(t) = at + b, the
prover sends b to the verifier who computes a = (v(α) − b)/α.
Certified VOLE
As a building block for NISC, we build a certified variant of VOLE. This primitive is useful
for invoking several parallel instances of VOLE while assuring the receiver that a given
circuit C is satisfied when its inputs are a certain subset of the entries of the VOLEs.
We construct fully general certified VOLE from a weaker construction, distributional
VOLE with equality constraints. This construction allows us to move all inputs to C to a single
VOLE instance. The sender and receiver then prove that C is satisfied using LPZK NIZK.
This weaker variant, which we call eVOLE, is distributional, because it requires the VOLE
inputs from the receiver to be chosen independently and uniformly at random. In general
certified VOLE, which we call cVOLE, we use two additional evaluation points α, β, and
perform an affine shift to the receiver’s inputs, replacing (α1 , . . . , αn ) with (α + α1 , . . . , α +
αn , α, β).
This forces all receiver inputs to be uniformly random, and every input besides β is
independent of β. We move all inputs to C to the VOLE instance with receiver input β, and
use the VOLE instance with input α to reverse the affine shift of the receiver’s inputs.
ITC 20215:8 Line-Point Zero Knowledge and Its Applications
From certified VOLE to NISC
Following [19], our NISC protocol is obtained from certified VOLE in a conceptually straight-
forward way: we start with existing protocols for arithmetic branching programs [32, 3]
that achieve security against a malicious receiver and semi-honest sender. We then protect
the receiver against a malicious sender by using certified VOLE to enforce honest behavior.
This yields a statistically secure reusable NISC protocol for “simple” arithmetic functions
represented by polynomial-size arithmetic branching programs. We can bootstrap this to get
reusable NISC over VOLE for general Boolean circuits using the approach of [19]; however,
this comes at the cost of making a non-black-box use of a pseudorandom generator and losing
the concrete efficiency features of the arithmetic variant of the protocol.
2 LPZK and random VOLE
In this section we give a formal definition of our new notion of LPZK proof system and show
how to compile such a proof system into a designated-verifier NIZK when given a random
VOLE correlation.
2.1 Defining LPZK
While an LPZK proof system can be defined for any NP-relation, we focus here on the case
of arithmetic circuit satisfiability that we use for describing our constructions. Our definition
can be seen as a simple restriction of the more general notion of (1-round) zero-knowledge
linear interactive proof [9] that restricts the verifier to sending a single field element.
Here and in the following, we work in an arithmetic model in which probabilistic polynomial
time (PPT) algorithms can sample a uniformly random element from a finite field F and
perform field operations at a unit cost. All of the protocols we describe make a black-box
use of the underlying field F.
▶ Definition 4 (LPZK). A line-point zero-knowledge (LPZK) proof system for arithmetic
circuit satisfiability is a pair of algorithms (Prove, Verify) with the following syntax:
Prove(F, C, w) is a PPT algorithm that given an arithmetic verification circuit C : Fk →
′
Fk and a witness w ∈ Fk , outputs a pair of vectors a, b ∈ Fn that specify an affine line
v(t) := at + b. We assume that the dimension n is determined by C.
Verify(F, C, α, vα ) is a polynomial-time algorithm that, given an evaluation vα of the line
v(t) at some point α ∈ F, outputs acc or rej.
The algorithms (Prove, Verify) should satisfy the following:
′
Completeness. For any arithmetic circuit C : Fk → Fk and witness w ∈ Fk such that
C(w) = 0, and for any fixed α ∈ F, we have
R
Pr[v(t) ←
− Prove(F, C, w) : Verify(F, C, α, v(α)) = acc] = 1.
′
Reusable ε-soundness. For every arithmetic circuit C : Fk → Fk such that C(w) ̸= 0
for all w ∈ Fk , and every (adversarially chosen) line v∗ (t) = a∗ t + b∗ , where the length
R
n of v∗ depends on C as above, we have Pr[α ← − F : Verify(F, C, α, v∗ (α)) = acc] ≤ ε.
∗
Moreover, for every F, C, v (t) the probability of Verify accepting (over the choice of α)
is either 1 or ≤ ε. Unless otherwise specified, we assume ε ≤ O(1/|F|).S. Dittmer, Y. Ishai, and R. Ostrovsky 5:9
Perfect zero knowledge. There exists a PPT simulator Sim such that, for any arithmetic
′
circuit C : Fk → Fk , any witness w ∈ Fk such that C(w) = 0, and any α ∈ F, the output
of Sim(F, C, α) is distributed identically to v(α), where v(t) is the affine line produced by
Prove(F, C, w).
The reusable soundness requirement guarantees that even by observing the verifier’s decision
bit on a maliciously chosen circuit C, and line v∗ (t) = a∗ t + b∗ , the prover learns essentially
nothing about the verifier’s secret point α, which allows the same α to be reused without
substantially compromising soundness.
Proof of Knowledge
For simplicity, we focus here on (reusable) soundness and ignore the additional proof of
knowledge property. However, the LPZK systems we construct all satisfy this stronger
notion of soundness (see [9] a definition of proofs of knowledge in the context of linear proof
systems). More formally, there is an efficient extractor that can extract a valid witness from
any (maliciously generated) line that makes the verifier accept with > ε probability.
Computational LPZK
The above definition considers our main information-theoretic flavor of LPZK, with statistical
soundness and perfect zero knowledge. Computational variants of LPZK can be defined
analogously. In particular, we will later consider computationally sound LPZK in the random
oracle model, which bounds the number of oracle queries made by a malicious prover.
Complexity measures for LPZK: (n, n′ , n′′ )-LPZK
In addition to the dimension/length parameter n, we use two other parameters n′ and n′′
as complexity measures for LPZK. These will help us obtain a more efficient compiler from
LPZK to NIZK that takes advantage of verifier outputs that are either known by the prover
(namely, are independent of α) or entries of a, b that can be picked at random independently
of w. Concretely, the parameter n′′ is the number of entries of a that are always equal to
zero; we assume without loss of generality that these are the last n′′ entries. The parameter
n′ measures the total number of entries of the first n − n′′ entries of a and b that functionally
depend on w. To take advantage of the random VOLE setup, we assume the remaining
2n − 2n′′ − n′ entries are picked uniformly and independently at random, and then these n′
entries are determined by w and the random entries. We will assume that the parameters
(n, n′ , n′′ ) as well as the identity of the entries of each type are determined by the public
information C.
2.2 Compiling LPZK to NIZK over random VOLE
We now describe and analyze a simple compiler that takes an LPZK proof system as defined
above and converts it into a (designated verifier) NIZK protocol that relies on a random
VOLE correlation, where the prover gets a random pair of vectors a′ , b′ ∈ Fn specifying an
affine line a′ t + b′ in Fn and the verifier gets the value of the line at a random point α ∈ F,
namely v′ = a′ α + b′ . Similarly to previous VOLE-based compilers from [12, 19], we rely on
the simple known reduction from VOLE to random VOLE. Our compiler takes advantage of
the extra parameters n′ and n′′ of the LPZK, which help reduce the cost of the NIZK below
the 2n field elements communicated by the natural generic compiler.
ITC 20215:10 Line-Point Zero Knowledge and Its Applications
▶ Lemma 5 (From LPZK to NIZK). Given (n, n′ , n′′ )-LPZK over F with soundness error ε,
there is an NIZK protocol that uses a single instance of random VOLE of length n − n′′ and
requires communication of n′ + n′′ field elements from the prover to the verifier.
Proof. Let a, b ∈ Fn be the vectors for the prover’s line at + b. The prover and verifier
are given a random VOLE of length n, so that the prover holds (a′ , b′ ), and the verifier
holds v′ = a′ α + b′ for a random α ∈ F.
We recall a simple self-reduction property of VOLE (see e.g. [12]) that allows us to
replace a random pair (a′ , b′ ) with the pair (a, b) as follows. The prover sends vectors a′ − a
and b′ − b to the verifier, who then computes
v = v′ + α(a′ − a) + (b′ − b)
Finally, the prover sends the final n′′ values of b to the verifier in the clear, and the
verifier appends these values to v.
For any entry of a, b that should be chosen randomly for LPZK, the prover sets the
corresponding entry of a′ − a or b′ − b to zero, and so no communication is required for
those entries. The entire reduction requires a random VOLE of length n with communication
of n′ +n′′ field elements, as desired. The security completeness, soundness, and zero knowledge
properties of the above NIZK protocol are inherited directly from the corresponding properties
of the LPZK. ◀
UC security
While we only consider here a standard standalone security definition for NIZK proofs [29, 10],
all of our LPZK-based NIZK protocols are in fact UC-secure NIZK protocols (e.g., in the
sense of [17]) in the rVOLE-hybrid model. This is the typical situation for information-
theoretic protocols.
Using a corruptible random VOLE functionality
When using a pseudorandom correlation generator (PCG) for generating the random VOLE
correlation with sublinear communication complexity [12, 14, 44], what is actually realized
is a so-called “corruptible” random VOLE functionality that allows the malicious party to
choose its output, and then samples the honest party’s output conditioned on this choice.
The transformation of Lemma 5 remains secure even when using this corruptible VOLE
functionality. Indeed, it was already observed in [12] that the reduction of VOLE to random
VOLE remains secure even when using corruptible random VOLE, and the LPZK to NIZK
transformation builds on this reduction.
3 Single gate example
To clarify the exposition, we begin with an example where the prover wishes to convince
the verifier that they hold a triple of values x, y, z satisfying xy = z. More precisely, the
prover and verifier realize a commit-and-prove functionality for the triple (x, y, z) and the
relation R(x, y, z) := xy − z. We prove that our single gate example satisfies this stronger
flavor of ZK, which is meaningful even for finite functions. Note that our LPZK construction
is adapted from this single gate example, rather than directly built up from it, so this proof
and the proof in Section 4 can be read independently.
A commit-and-prove protocol for the above relation R has the same syntax as LPZK, and
should satisfy the following loosely stated properties (see, e.g., [38] for a formal definition).S. Dittmer, Y. Ishai, and R. Ostrovsky 5:11
Completeness If the prover runs honestly on (x, y, z) such that z = xy, then the verifier
always accepts.
Binding There is a deterministic extractor that given a line picked by a (potentially
malicious) prover outputs effective inputs (x∗ , y ∗ , z ∗ ) such that the following holds. Any
attempt of the prover to “explain” a different input triple (x′ , y ′ , z ′ ) (by revealing its
randomness) would lead to an inconsistent verifier view, except with the binding error
probability (over the choice of α).
Soundness For any malicious prover, if the extracted values (x∗ , y ∗ , z ∗ ) satisfy z ∗ ̸= x∗ y ∗ ,
then the verifier rejects except for the soundness error probability (over the choice of α).
Zero knowledge For any choice of α, the verifier’s evaluation on an honestly generated
line can be simulated without knowing x, y, z.
Random evaluation of the line picked by a prover (even a malicious one) effectively
commits the prover to unique values of x, y, z, in the sense that except for the binding error
probability it cannot reveal randomness that consistently explains different (x′ , y ′ , z ′ )), and
moreover the verifier rejects unless z = xy (except with soundness error probability).
3.1 Protocol
We construct our commit-and-prove protocol for the relation R(x, y, z) := xy − z as a
(5, 4, 1)-LPZK over F with binding and soundness error ≤ 2/|F|.
The (honest) prover chooses some triple (x, y, z) and constructs a line at + b by setting
a = (a1 , a2 , a3 , a4 , a5 ) := (x, y, z, xb2 + yb1 − b3 , 0)
with b1 , b2 , b3 , b4 chosen uniformly at random and b5 := b1 b2 − b4 . We write
v(t) := at + b,
for the line held by the prover, and v = aα + b for the point received by the verifier, for a
random α ∈ F. We likewise write the prover’s view of the entries as
v(t) = (v1 (t), v2 (t), v3 (t), v4 (t), v5 (t)),
and write vi for vi (α). The verifier now checks whether
v1 v2 − αv3 − v4 − v5 = 0.
We remark that it would be possible to present the same protocol as a (4, 5, 0)-LPZK by
dropping the v5 term and setting b4 := b1 b2 . This variant has the same communication and
computation complexity, but we give the (5, 4, 1)-LPZK construction here because it is more
similar to the construction in Section 4.
▶ Remark 6 (Extension to general arithmetic circuits). We can convert this protocol to an
LPZK for arithmetic circuits by placing all intermediate wire values into a and running
the commit-and-prove protocol for each multiplication gate. The binding property ensures
that the wire values match the values x, y, z for which the prover demonstrates xy = z. For
all multiplication gates whose inputs are intermediate values, the verifier no longer needs
to learn the values v1 , v2 masking the inputs x, y from VOLE, but can instead compute
them as a linear combination of previous multiplication gate outputs. This therefore gives
a communication cost of 3 field elements per multiplication gate. We improve on this by
batching together verification messages into blocks of size t, as we show in the next section.
ITC 20215:12 Line-Point Zero Knowledge and Its Applications
4 Information-Theoretic LPZK for Arithmetic Circuits
In this section we describe an information-theoretic LPZK for proving the satisfiability of
arithmetic circuits. A full proof, and more formal theoreom statement, of Theorem 1 are
given in the full version of this paper [23].
4.1 Setup
An arithmetic circuit C over a field F with k input wires, k ′ output wires, m multiplication
gates, and arbitrarily many addition gates can be converted into an ordered triple (a, QC , RC ),
where a = (a0 , a1 , . . . , ak+k′ +4m ) represent wire values. The input wires correspond to indices
0, 1, . . . , k, the intermediate wires correspond to indices k + 1, . . . , k + 4m, and the output
wires correspond to indices k + 4m + 1, . . . , k + k ′ + 4m. QC is a collection of m degree 2
polynomials, with the ith polynomial defined as
qi (a) := ak+4i−1 − ak+4i−3 ak+4i−2 ,
and RC is a set of linear relations defining certain ai ’s in terms of previous elements. Formally,
we write r · a for the standard dot product, and write RC as 2m + k ′ vectors ri corresponding
to the relations
r2i−j · a = ak+4i−2−j ,
for j ∈ {0, 1}, and 1 ≤ i ≤ m, where the only nonzero entries of r2i−j occur at indices ≤
k + 4i − 4, and
r2m+i · a = 0,
for 1 ≤ i ≤ k ′ .
The wires ak+4i are not needed for the insecure evaluation of the circuit, but we introduce
them now to keep indices consistent. We require that each of rj have zero at each of their
entries in positions k + 4i, for 1 ≤ j ≤ 2m + k ′ and 1 ≤ i ≤ m, i.e. the relations in RC cannot
depend on the unused ak+4i wires. We set a0 = 1 so that the relations RC can include
addition by constant terms.
′
We construct a NIZK in this setting. Using a (k+2m, k+2m, m t +k )-LPZK with soundness
error 2t/|F|, a prover P will convince a verifier V that they hold a witness w = (w1 , . . . , wk )
of circuit inputs to C such that the k ′ entries ak+4m+i = 0, for 1 ≤ i ≤ k ′ . The circuit C
and associated data k, k ′ , m and Q are public.
4.2 The LPZK construction
1
To begin, the prover constructs a pair of vectors (a, b) ∈ Fk+(4+ t )m+2 , with a0 = 1 and
b0 = 0. The next k elements of a are set equal to the witness w, and the corresponding
elements of b are chosen uniformly at random. Using the relations in RC , for the ith
multiplication gate, and for j ∈ {0, 1}, the prover defines
ak+4i−2−j := r2i−j · a
bk+4i−2−j := r2i−j · b
ak+4i−1 := ak+4i−3 ak+4i−2
ak+4i := ak+4i−3 bk+4i−2 + ak+4i−2 bk+4i−3 − bk+4i−1 ,S. Dittmer, Y. Ishai, and R. Ostrovsky 5:13
with bk+4i−j chosen uniformly at random, for j ∈ {0, 1}. Then, for 1 ≤ i ≤ k ′ , P sets
ak+4m+i = 0 and
bk+4m+i := r2m+i · b.
Next, P constructs a vector c of length m and defines
ci := bk+4i−3 bk+4i−2 − bk+4i ,
if this value is not equal to zero, and ci = 1 otherwise, for 1 ≤ i ≤ m. Finally, for
i = 1, . . . , m/t, P sets ak+k′ +4m+i = 0 and defines
t·i+t−1
Y
bk+k′ +4m+i := cj .
j=t·i
After constructing (a, b), the prover constructs a shortened pair of vectors (â, b̂) of length
k + k ′ + (2 + 1t )m + 1 by deleting the zeroth entry and the entries k + 4i − 2 − j, for 1 ≤ i ≤ m
and j ∈ {0, 1}, and performs LPZK with the verifier so that the verifier learns v̂ = αâ + b̂.
The verifier then computes from v̂ a vector v of length k + k ′ + (4 + 1t )m + 2 by re-indexing
to match the indexing of a and b, setting v0 = 1, and computing
vk+4i−2−j := r2i−j · v,
for 1 ≤ i ≤ m and j ∈ {0, 1}.
Then for 1 ≤ i ≤ k ′ , the verifier checks that r2m+i · v = vk+4m+i . Finally, the verifier
defines, for 1 ≤ i ≤ m, the values
xi := vk+4i−3 vk+4i−2 − αvk+4i−1 − vk+4i ,
when this is nonzero, and xi := 1 otherwise, and checks that
t·i+t−1
Y
xj = vk+k′ +4m+i .
j=t·i
5 LPZK in the Random Oracle Model
In the section we present Theorem 3, which gives an improved NIZK over random VOLE in
the random oracle model (ROM). This follows by applying the compiler of Lemma 5 to the
LPZK in following theorem.
▶ Theorem 7 (LPZK in the ROM). For any positive integer r, there exists an LPZK in
the ROM for arithmetic circuit satisfiability, with the following size parameters (n, n′ , n′′ )
and soundness error. If C has k inputs, k ′ outputs, and m multiplication gates, we have
n = k + k ′ + m + 2r, n′ = k, n′′ = k ′ + m + 2r. For any malicious prover making ℓ calls
to a random oracle H : Fm → Fmr , the soundness error is ε = |F| 2
+ |F|ℓ r . Moreover, the
computation of both the prover and the verifier consists of O(r|C|) field operations and a
single call to H.
At a high level, the LPZK construction begins by setting a equal to the wire values in the
circuit evaluation, and choosing b at random, as in § 4.2. To convince the verifier that all
multiplication gates have been evaluated correctly, the prover must show that a sequence of
ITC 20215:14 Line-Point Zero Knowledge and Its Applications
quadratic polynomials whose coefficients are determined by a and b each have leading term
zero, i.e. that this sequence of quadratics is actually a sequence of linear polynomials. The
protocol uses LPZK to reveal to the verifier a vector s of the evaluations of those quadratics
at α and then the prover must show they have vectors y, z such that s = yα + z. In other
words, the prover must show that y, z as VOLE inputs give s as a VOLE output.
To do this, prover and verifier choose a random r × m matrix M := H(w) by evaluating
a random oracle H on the prover messages w sent during the protocol. Then after adding
random masks from the LPZK to y, z, s, the verifier cheks that M s = M yα + M z.
5.1 The LPZK construction
Similar to § 4.2, the prover begins by constructing a line v(t) := at + b with v ∈
′
Fk+k +5m+3r+1 , and then reduces to a shorter v̂ that is used as VOLE input. For 0 ≤
i ≤ k + k ′ + 4m, the prover defines ai and bi identically to their definitions in § 4.2, except
each entry ak+4j is chosen uniformly at random from F, for 1 ≤ j ≤ m, and each entry bk+4j
is chosen so that bk+4j = bk+4j−1 . The partial redundancy between the k + 4j − 1th
and k + 4jth entry is to preserve the indexing of § 4.2 while enabling the reconstruction
of vk+4i−1 from vk+4i and the value of ak+4j − ak+4j−1 , as described below.
The next r entries of a and b are chosen uniformly at random from F. The remaining m+2r
entries of a are all set equal to zero, and the remaining m + 2r entries of b will be given
explicitly later. These m + 2r entries, in other words, can be sent from the prover to the
verifier directly without require any VOLE overhead.
For 1 ≤ i ≤ m, the prover computes
yi := bk+4i−1 − ak+4i−3 bk+4i−2 − ak+4i−2 bk+4i−3
and
zi := −bk+4i−3 bk+4i−2 ,
and defines y = (yi ) and z = (zi ), where i ranges from 1 to m. For r the positive integer fixed
in the statement of the theorem, let H : Fm → Fmr be a random oracle, and treat the output
of H as a matrix in Mr×m (F). The prover then defines w := (wi ) := (ak+4i−1 − ak+4i ),
where i ranges from 1 to m. The prover then sets
y := (ak+k′ +4m+1 , . . . , ak+k′ +4m+r )T + H(w)yT
and
z := (bk+k′ +4m+1 , . . . , bk+k′ +4m+r )T + H(w)zT .
For 1 ≤ i ≤ m, the prover sets
bk+k′ +4m+r+i := ak+4i−1 − ak+4i ,
then the prover sets
b[k + k ′ + 5m + r + 1 : k + k ′ + 5m + 2r] = y,
and
b[k + k ′ + 5m + 2r + 1 : k + k ′ + 5m + 3r] = z,
writing b[i, j] for the projection onto coordinates i through j inclusive.S. Dittmer, Y. Ishai, and R. Ostrovsky 5:15
Next, the prover computes from the pair (a, b) a line in a lower-dimensional space v̂(t) :=
′
ât + b̂ ∈ Fk+k +2m+3r . For 1 ≤ i ≤ k, we take âi = ai and b̂i = bi . For 1 ≤ i ≤ m
we take âk+i = ak+4i and b̂k+i = bk+4i . For 1 ≤ i ≤ r, we take âk+m+i = ak+k′ +4m+i
and b̂k+m+i = bk+k′ +4m+i . The remaining k ′ + m + 2r values of a we set equal to zero.
For 1 ≤ i ≤ k ′ , we set b̂k+m+r+i = r2m+i · b. For 1 ≤ i ≤ m, we set b̂k+k′ +m+r+i = wi =
ak+4i−1 − ak+4i . Finally, for 1 ≤ i ≤ 2r, we set b̂k+k′ +2m+r+i = bk+k′ +5m+r+i .
Now, having constructed v̂(t), the prover and verifier run LPZK so that the verifier
learns v̂(α), and, similar to § 4.2, expands v̂(α) to a vector v = aα + b. The verifier
reconstructs vk+4i−1 as
vk+4i−1 = vk+4i + αvk+k′ +m+r+i ,
and the other missing values as in § 4.2.
The verifier now computes, for 1 ≤ i ≤ m,
si := vk+4i−1 α − vk+4i−3 vk+4i−2 ,
the vector s = (si ), and the value
s := (vk+k′ +4m+1 , . . . , vk+k′ +4m+r )T + H(w)sT ,
yα := (v[k + k ′ + 5m + r + 1 : k + k ′ + 5m + 2r])
zα := (v[k + k ′ + 5m + 2r + 1 : k + k ′ + 5m + 3r])
and returns rej unless yα + z = s. Then for 1 ≤ i ≤ k ′ , the verifier checks that r2m+i · v =
vk+4m+i and returns rej if any test fails, and acc otherwise.
6 Non-Interactive Secure Computation
In this section we apply LPZK towards simplifying and improving the efficiency of the
reusable protocol for non-interactive secure computation (NISC) from [19]. Our construction
relies on a variant of VOLE called certified VOLE, described in more detail in § 6.2.
6.1 NISC definition
We start by giving a simplified definition of reusable NISC over VOLE, which strengthens
the definition from [19]. The definition can be seen as a natural extension of the definition of
LPZK to the case of secure computation, where both the sender and the receiver have secret
inputs. Instead of the prover encoding its witness as a line and the verifier picking a random
point, here the sender encodes its input as multiple lines and the receiver encodes its input
as multiple points, one for each line. (The lines are the sender’s VOLE inputs and the points
are the receiver’s VOLE inputs.)
At a high level, reusable security is ensured by preventing a malicious sender from
making the receiver’s output depend on its input beyond the dependence allowed by the
ideal functionality. This is contrasted with OT-based NISC protocols, where the sender can
learn a receiver’s OT input by starting from an honest strategy and replacing one of the
sender OT inputs by a random one.
We formulate the NISC definition for arithmetic functions f defined over an arbitrary field
F, where the security error vanishes with the field size. For simplicity we consider a single
function f and information-theoretic security. The definition can be naturally generalized to
take a function description as input and allow computational security.
ITC 20215:16 Line-Point Zero Knowledge and Its Applications
▶ Definition 8 (Reusable arithmetic NISC). A reusable non-interactive secure computation
(NISC) protocol over VOLE for an arithmetic function f : Fn × Fm → Fℓ is a triple of
algorithms (R1, S, R2) with the following syntax:
R1(F, x) is a PPT algorithm that, given an input x ∈ Fn , outputs points (α1 , . . . , αn′ ) ∈
′
Fn and auxiliary information aux.
S(F, y) is a PPT algorithm that, given y ∈ Fm , outputs n′ pairs of vectors ai , bi ∈ Fs ,
each specifying an affine line vi (t) := ai t + bi .
R2(F, aux, (v1 , . . . , vn′ )) is a polynomial-time algorithm that, given auxiliary information
aux and evaluations vi , outputs either z ∈ Fℓ or rej.
The algorithms (R1, S, R2) should satisfy the following security requirements:
Completeness. When both parties follow the protocol, running the above algorithms in
sequence, with vi = vi (αi ), results in the output z = f (x, y).
Reusable ε-security against malicious sender. There exists a polynomial-time
extractor algorithm Ext such that for any field F and lines vi∗ (t) := ai∗ t + b∗i , the output of
Ext(F, (a1∗ , b∗1 ), . . . , (an∗ ′ , b∗n′ )) is y∗ ∈ Fm ∪ {⊥} such that the following holds: for every
honest receiver’s input x ∈ Fn , the receiver’s output when interacting with malicious
sender strategy vi∗ (t) is equal to f (x, y∗ ) except with ≤ ε probability over the receiver’s
randomness. Here we assume that the output on ⊥ is rej. Unless otherwise specified, we
assume ε ≤ O(1/|F|). We will also use a random-input variant of the above definition,
where the probability is over both the receiver’s randomness and a uniformly random
choice of x ∈ Fn .
Perfect security against malicious receiver. There exist a polynomial-time ex-
tractor algorithm Ext and PPT simulator algorithm Sim such that, for any field F
and malicious receiver points α1∗ , . . . , αn∗ ′ ∈ F, the extractor outputs an effective in-
put x∗ = Ext(F, (α1∗ , . . . , αn∗ ′ )), where x∗ ∈ Fn , such that the following holds. For every
honest sender’s input y ∈ Fm , the output distribution of Sim(F, f (x∗ , y))} is identical to
R
{(v1 (α1∗ ), . . . , vn′ (αn∗ ′ )) : (v1 (t), . . . , vn′ (t)) ←
− S(F, y)}.
We note that instead of allowing the receiver to output rej, we could instead make the
receiver use a default value for the sender input and compute the output of f . However,
making the receiver reject whenever it detects cheating makes protocol descriptions more
natural.
The definition above does not permit the sender to transmit additional values to the
receiver in the clear. In order to simplify the definition and the proofs, we note that we can
realize plaintext transmission from sender to receiver as a reusable NISC protocol over VOLE.
The function f (x, y) := y prints the sender input, the algorithm R1(F, x) outputs random
points α1 , α2 , and the sender algorithm S(F, y) outputs ai := 0 and bi = y for i = 1, 2.
Finally, R2(F, (v1 , v2 )) rejects if v1 ̸= v2 , and outputs v1 otherwise. The security conditions
are straightforward to verify.
In the proofs below, when we refer to “sending values in the clear”, we formally mean
the protocol above. In actual applications, of course, we will continue to send the plaintexts
directly. We use direct transmission, rather than this more involved NISC protocol, in our
analysis of computation and communication complexity.
Throughout this section, whenever we desire to refer to the jth entry of a vector ai , bi , vi ,
etc, we write the entry as aji , bji , vij , etc.S. Dittmer, Y. Ishai, and R. Ostrovsky 5:17
6.2 Certified VOLE
The main building block for NISC is a certified variant of VOLE, allowing the sender and
the receiver to invoke multiple parallel instances of VOLE while assuring the receiver that
the sender’s VOLE inputs satisfy some global consistency relation.
6.2.1 Definitions and results
In its general form, certified VOLE with a general arithmetic relation, the VOLE consistency
requirement is specified by a general arithmetic circuit. We write cVOLE for this form of
certified VOLE.
We begin with a more specialized form, distributional certified VOLE with equality
constraints, which we write as eVOLE. In this variant of certified VOLE, the arithmetic
circuit on the family of VOLEs is restricted to a single equality constraint between two
coefficients from a vectors. In eVOLE, we require additionally that R’s inputs are uniformly
distributed over F and independent. It is straightforward to extend this result to an arbitrary
set of equality constraints on terms from a and b vectors, and we explain the details below.
Certified VOLE of these flavors can be realized by extending a family of random VOLEs
with a NIZK proof that the random VOLEs satisfy the desired constraints. We give more
precise definitions of these forms of certified VOLE as ideal functionalities in Figures 1 and 2.
We state this result as the following two lemmas.
(F)
▶ Lemma 9. A receiver R and a sender S can realize the functionality FeV OLE with
parameters (ℓ1 , ℓ2 , i, j) in the rVOLE hybrid model with 2 instances of random VOLE of
total length ℓ1 + ℓ2 + 2 and communication of 3 field elements from sender to receiver, in
addition to any communication cost for transforming random VOLEs to the VOLEs with
inputs (â1 , b̂1 , â2 , b̂2 ).
▶ Lemma 10. Fix an integer t ≥ 1. A receiver R and a sender S can realize the functional-
(F)
ity FcV OLE , in the rVOLE hybrid model with k+2 instances of random VOLE. For a circuit C
with qa inputs from the âi ’s, qb inputs from the b̂i ’s, q ′ outputs, and m multiplication gates,
these VOLE instances have total length
k
X
2m + 6qa + 7qb + ℓi ,
i=1
and the protocol requires communication of
k
X
(2 + 1t )m + q ′ + 8qa + 9qb + 2 ℓi
i=1
field elements from sender to receiver.
6.2.2 The protocols
eVOLE
eVOLE is a special case of reusable arithmetic NISC where the receiver has no inputs, and
R1(F) outputs uniformly random and independent points (α, β), and stores their values as the
auxiliary information aux := (α, β). The sender’s input y := (â1 , b̂1 , â2 , b̂2 ) is two existing
VOLE inputs, and the algorithm S(F, y) outputs vectors (a1 , b1 , a2 , b2 ) whose first ℓ, ℓ, ℓ′ ,
ITC 20215:18 Line-Point Zero Knowledge and Its Applications
(F)
Functionality FeV OLE : Distributional certified VOLE with equality constraint
Parametrized by a finite field F, length parameters (ℓ1 , ℓ2 ), and integers i, j with
1 ≤ i ≤ ℓ1 and 1 ≤ j ≤ ℓ2 .
(F)
R sends x := (α, β) to FeV OLE
// Receiver security is only required for random inputs
(F)
S sends y := (â1 , b̂1 , â2 , b̂2 ) to FeV OLE , where âk , b̂k ∈ Fℓi
(F)
FcV OLE verifies that âi1 = âj2 .
If the input does not pass verification, the ideal functionality sends ⊥ to R.
(F)
Otherwise, FcV OLE computes v̂1 := â1 α + b̂1 and v̂2 := â2 β + b̂2 and sends
f (x, y) := (v1 , v2 ) to R.
Figure 1 Distributional certified VOLE with equality constraints.
(F)
Functionality FcV OLE : Parametrized by a finite field F, a sequence of k positive
Pk
integers ℓ1 , . . . , ℓk , and an arithmetic circuit C on q ≤ 2 i=1 ℓi inputs.
Setup phase
(F)
R sends to FcV OLE its input x := (α1 , . . . , αk ) ∈ Fk .
Send phases
(F)
S sends y := (â1 , . . . , âk , b̂1 , . . . , b̂k ) to FcV OLE , where âi , b̂i ∈ Fℓi
(F)
FcV OLE verifies that (â1 , . . . , âk , b̂1 , . . . , b̂k ) is a satisfying assignment for C.
If the input does not pass verification, the ideal functionality sends ⊥ to R.
(F)
Otherwise, FcV OLE computes v̂i := âi αi + b̂i and sends f (x, y) := (v̂1 , . . . , v̂k )
to R.
Figure 2 Certified VOLE with a general arithmetic relation.
and ℓ′ coordinates are equal to (â1 , b̂1 , â2 , b̂2 ), respectively. The remaining values are defined
′ ′
as aℓ+1
1 := b̂j2 , aℓ2 +1 := b̂i1 , with bℓ+1
1 and bℓ2 +1 chosen uniformly at random. In addition, the
′
sender sends the value bℓ+1 1 − bℓ2 +1 in the clear.
The VOLE protocol evaluates the sender’s output on α and β, respectively, so that in an
honest run of the protocol, the receiver learns v1 := a1 α + b1 and v2 := a2 β + b2 . In the
algorithm R2(F, aux, (v1 , v2 )), the receiver tests whether
′ ′
βv1i − αv2j + v1ℓ+1 − v2ℓ +1 = bℓ+1
1 − bℓ2 +1 .
The receiver rejects if the test fails, and otherwise outputs the vectors v̂1 , v̂2 obtained by
deleting the last element from v1 , v2 .
This protocol can be modified to prove constraints of the form âi1 = b̂j2 or b̂i1 = b̂j2 for the
same communication cost and one or two additional multiplications, respectively, by the
receiver. Indeed, by multiplying v1 by α−1 or v2 by β −1 , the receiver can locally obtain the
VOLE outputs w1 := α−1 b1 + a1 and w2 := β −1 b2 + a2 , and the same construction above
applies to the pair v1 , w2 or the pair w1 , w2 .
Additionally, since the eVOLE protocol transforms VOLE inputs âi , b̂i for the sender
into extended VOLE inputs ai , bi and delivers extended VOLE outputs vi to the receiver,
this protocol can be implemented repeatedly on the same two instances of VOLE, proving c
equality constraints with VOLEs of length ℓ + c, ℓ′ + c.You can also read
